A Hacker’s Opportunity is Target Rich!

* Enterprise
  - Personal
  - Credit Card
* Government
  - Military secrets
  - Nuclear Information
  - Medical Records
  - Criminal Records
  - Classified Secrets and Information
  - Control of Physical Infrastructure
    • Power
    • Electrical
    • Water
Hacking Hotspots and Trends

WESTERN EUROPE
Cyber-activists with anti-global/anti-capitalism goals; some malicious code

U.S.
Multiple hacker/cyber-activist/hacktivist groups; random targets

MIDDLE EAST
Palestinian hackers target Israeli websites; some pro-Israel activity

INDIA-PAKISTAN
Worldwide targets, Kashmir-related and Muslim-related defacements
Happening Now

* Twitter DDOS
* DDOS attacks in Estonia
* Attacks on Booz Allen Hamilton

Breach of defense contractor computers that let hackers get at information on the Joint Strike Fighter

* Power grid compromised
* Repeated attacks on .gov websites
* Real growing threat of cyber terrorism

bivio Networks
©2010 Bivio Networks, Inc.
Systems & Software Technology Conference


Exploitation Evolution

* While we look at the evolution trend, it should be noted that the less severe exploits have not gone away. They still exist today and have even increased in numbers. The problem is that we also have to deal with exploits that now affect our national security.

Evolution stages (from the slide figure): Experimentation / Notoriety; Hacktivism / Defacements; Criminal Enterprise
Threats Today

* Malware
  - Worms
  - Trojans
  - Rootkits
  - Spyware
* Botnets
* Remote & Local Exploitation

Good News: New Government Initiatives Underway!
CNCI Overview

The Comprehensive National Cybersecurity Initiative

* Cybersecurity has been called “one of the most urgent national security problems facing the new administration.” (1)
* The CNCI “establishes the policy, strategy, and guidelines to secure federal systems.” (2)
* A program called to unify agencies’ fragmented approach to cyber security within the federal government.

(1) Center for Strategic and International Studies, Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency (2008).
(2) Department of Homeland Security, Fact Sheet: DHS 2008 End of Year Accomplishments (Dec. 18, 2008), http://www.dhs.gov/xnews/releases/pr_1229609413187.shtm.
12 Main Components of the CNCI

* Trusted Internet Connection
* Intrusion Detection
* Intrusion Prevention
* Research and Development
* Situational Awareness
* Cyber Counterintelligence
* Classified Network Security
* Cyber Education and Training
* Implementation of Info Security Technologies
* Deterrence Strategies
* Global Supply Chain National Security
* Public/Private Collaboration
Two Initiatives of CNCI

Einstein 2
- EINSTEIN 2 capability enables analysis of network flow information to identify potential malicious activity while conducting automatic full packet inspection of traffic entering or exiting U.S. Government networks for malicious activity using signature-based intrusion detection technology.

Einstein 3
- The goal of EINSTEIN 3 is to identify and characterize malicious network traffic to enhance cybersecurity analysis, situational awareness and security response. It will have the ability to automatically detect and respond appropriately to cyber threats before harm is done, providing an intrusion prevention system supporting dynamic defense.



A Transforming Network

* Explosion in usage, applications, devices, protocols
* Basic networking problems remain
  - Security
  - Information assurance
  - Cyber defense
  - Awareness
  - Control
* Network role transition from connectivity to policy
* Key Enabling Technology: Deep Packet Inspection


What is Deep Packet Inspection (DPI)?

* Set of technologies enabling fine-grained in-depth processing of network traffic
* Not a solution or an application!

Figure: Packet Header Layers | Packet Payload / Application Layers

Deep packet inspection is used for a variety of protocol-aware networking functions including:
- Prevention of security violations
- Statistical traffic analysis
- Flow metering
- Content-based billing
Cyber Security: Why DPI?

* L3/4 analysis clearly not granular enough
  - Source/Destination often insufficient or totally irrelevant
* Most information including viruses, worms, and bots is in the payload
  - Deeply embedded
  - Context dependent
  - Dynamic
* Tunneling makes outer protocols/headers insufficient
* Correlation between flows and payload often crucial
* Threats are real-time & dynamic; response must be as well
  - DPI is the real-time networking analog to off-line analysis
  - Dramatically shortens threat identification and response
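The "Why DPI?" point above, and the signature-based inspection that the EINSTEIN 2 slide describes, shown in code. This is an added example, not code from the deck or from Bivio: it parses a constructed IPv4/TCP packet and contrasts the verdict of a header-only L3/L4 filter with a payload content match; the signatures, addresses and packet bytes are all made up for illustration.

```python
import ipaddress
import struct

# Constructed content signatures in the spirit of a Snort "content" match; the
# byte patterns are made up for this example and are not real threat indicators.
SIGNATURES = {"beacon-header": b"X-Constructed-Beacon:",
              "eicar-test-string": b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"}

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Split a raw IPv4/TCP packet (no link-layer header) into L3/L4 fields and payload."""
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if pkt[0] >> 4 != 4 or pkt[9] != 6:            # version must be 4, protocol must be TCP
        raise ValueError("expected an IPv4/TCP packet")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                  # TCP header length in bytes
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "payload": tcp[data_off:]}

def l3l4_verdict(fields: dict) -> str:
    """Header-only policy, as a stateless L3/L4 filter would apply: permit web ports."""
    return "allow" if fields["dport"] in (80, 443) else "drop"

def dpi_verdict(fields: dict) -> str:
    """Payload inspection: match content signatures against the application data."""
    for name, pattern in SIGNATURES.items():
        if pattern in fields["payload"]:
            return "alert:" + name
    return "allow"

def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a minimal IPv4/TCP packet (checksums left zero) for the constructed sample."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload

def compare(pkt: bytes) -> tuple:
    fields = parse_ipv4_tcp(pkt)
    return l3l4_verdict(fields), dpi_verdict(fields)   # (header-only verdict, DPI verdict)

# Constructed sample: an ordinary-looking HTTP GET on port 80 whose headers carry the
# made-up beacon marker. Addresses are from private/documentation ranges.
SAMPLE = build_ipv4_tcp("10.0.0.5", "198.51.100.7", 40000, 80,
                        b"GET / HTTP/1.1\r\nHost: example.com\r\nX-Constructed-Beacon: 1\r\n\r\n")

if __name__ == "__main__":
    print(compare(SAMPLE))
```

The port-based filter passes the sample because it looks like web traffic; only the payload match flags it, which is the granularity gap the slide is pointing at.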
Example DPI-enabled Applications

Application areas:
- Intrusion Detection and Prevention
- Network Flow Analysis
- Data Leak Prevention
- Network Monitoring
- Data Retention
- Web Content Control
- Network Forensics

Tools shown: SNORT, YAF, Barnyard, tcpdump
Development

- Prefer Linux for networking applications
- Limited only by developer’s imagination and ability to code
- Evolve and change applications with new requirements
- Develop independent of underlying platforms

* Deployment
  - Provide same operational environment - Linux
  - Insulate the applications from networking delivery infrastructure
  - Offer appropriate amount of compute power for application to handle the offered “speeds and feeds” (10Gbit, OC-192, beyond)
  - Run multiple applications on the same “speeds and feeds” pipe
DPI-introduced Challenges

* Finer granularity -> vast increase in compute power
* Increased options for data manipulation -> flexibility
* Changing networking environment -> extensibility
* Application and protocol diversity -> customizability

High compute/high throughput networking: collision of computing and networking is the key dynamic for next generation networking
DPI Hardware Implementations

Figure: implementations plotted by inspection depth (L2-L4 vs L5-L7) and timing (Not Real-time vs Real-time)

Not Real-time:
- Packet Capture
- Store and Forward
  - Anti-Spam
  - Anti-Virus

Real-time:
- Real-time Traffic Handling
- Real-time DPI Appliances
  - IDS/IPS
  - Content Load Balancers
  - Traffic Analysis
  - Protocol Traffic Shaping
10 Gbps Considerations

* DPI performance significantly harder to maintain at 10 Gbps speeds
* Network applications drive overall network impact

Real-time DPI Devices
- Enable real-time, inline inspection, analysis and control
- Require significant processing capacity/density to perform L7 analysis at 10 Gbps speeds
- Can be based on general-purpose CPUs
- Can be based on custom hardware
Real-time DPI Devices

Advantages
- Capable of providing transparent real-time L7 enforcement
- Purpose-built architectures can provide high-speed L7 capabilities

Disadvantages
- Hardware requirements greater than those of simple forwarding devices
- Therefore, true 10G-capable DPI platforms cost more than L3/L4-capable platforms
Achieving 10 Gbps (Real-time)

* Real-time DPI - Standalone form factor solutions
  - Custom-built appliances
  - Servers with accelerator cards
Bivio Product Highlights

Unique system architecture optimized for wire-speed packet processing
- Powerful computation platform
- De-coupling of network from CPU
- Programmable data path
- Hardware acceleration

Comprehensive software environment
- Standard Linux development environment
- Multi-application support
- Integrated management
- High Availability & Redundancy
- Clustering support
- Advanced load distribution

Unique scaling capabilities enable true wire-speed for any service at 10 Gbps and beyond

Fully Integrated Multi-Service/Multi-Application DPI Solutions
- Self-consistent, i.e., does not need any external system interaction to work
- Extensive unified Logging and Data Correlation
- Software-based: extensible and customizable
Summary & Key Takeaways

* Internet is used daily for many business, personal & private aspects
* Threats are continuing to grow & evolve
* CNCI has allocated a plan & a budget to implement solutions throughout government agencies
* DPI platforms can be leveraged to solve challenging cyber security problems
* Bivio Networks is the leading supplier of open DPI platforms and cyber security solutions!